
NDNCERT Protocol 0.3 Renewal Revocation

Zhiyi Zhang edited this page Mar 28, 2020 · 6 revisions

NDNCERT Protocol 0.3 Renewal and Revocation

RENEW step

Specification

RENEW is for a requester to renew its certificate with the CA. The Interest and Data formats in RENEW are almost identical to those in NEW, differing only in the packet names. The RENEW step works in the same way as NEW.

Packet Format

Interest format:

Field                  Description
Name                   /<CA-prefix>/CA/RENEW/<ParameterSha256Digest>
ApplicationParameters  TLV format of value as defined in 2.3.2
CanBePrefix            False
MustBeFresh            True
Signature              Signed by the private key whose public key is going to be certified by the CA

Data format:

Field      Description
Name       /<CA-prefix>/CA/RENEW/<ParameterSha256Digest>
Content    TLV format of value as defined in 2.3.2
Signature  Signed by the CA's identity key
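The last name component of the RENEW Interest, ParameterSha256Digest, binds the Interest name to the ApplicationParameters it carries. The following added example (not part of the NDNCERT project or this wiki page) builds that name and shows the check a CA should perform before trusting the parameters: the digest in the name must equal the SHA-256 of the ApplicationParameters element actually received. It assumes the NDN packet format v0.3 TLV type numbers, uses a constructed placeholder for the 2.3.2 parameter value, and digests only the ApplicationParameters element plus an optional trailing byte string standing in for signature elements.

```python
import hashlib

# NDN packet format v0.3 TLV type numbers (assumed; not listed on this page)
TLV_GENERIC_NAME_COMPONENT = 8
TLV_PARAMS_SHA256_DIGEST = 2
TLV_APPLICATION_PARAMETERS = 36


def tlv_encode(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV element using NDN variable-length type/length numbers."""
    def varnum(n: int) -> bytes:
        if n < 253:
            return bytes([n])
        if n <= 0xFFFF:
            return b"\xfd" + n.to_bytes(2, "big")
        if n <= 0xFFFFFFFF:
            return b"\xfe" + n.to_bytes(4, "big")
        return b"\xff" + n.to_bytes(8, "big")
    return varnum(tlv_type) + varnum(len(value)) + value


def renew_interest_name(ca_prefix: list, params_value: bytes,
                        trailing: bytes = b"") -> tuple:
    """Build /<CA-prefix>/CA/RENEW/<ParameterSha256Digest> as a list of
    wire-encoded name components, plus the ApplicationParameters element.

    The digest covers the ApplicationParameters element (type + length +
    value) and everything after it in the Interest; `trailing` stands in
    for the signature elements of a signed Interest (empty here)."""
    params_elem = tlv_encode(TLV_APPLICATION_PARAMETERS, params_value)
    digest = hashlib.sha256(params_elem + trailing).digest()
    name = [tlv_encode(TLV_GENERIC_NAME_COMPONENT, c.encode())
            for c in ca_prefix + ["CA", "RENEW"]]
    name.append(tlv_encode(TLV_PARAMS_SHA256_DIGEST, digest))
    return name, params_elem


def params_match_name(name: list, params_elem: bytes,
                      trailing: bytes = b"") -> bool:
    """CA-side check: reject the Interest if the digest component is missing,
    malformed, or does not match the parameters that were actually carried."""
    last = name[-1]
    if len(last) != 34 or last[0] != TLV_PARAMS_SHA256_DIGEST or last[1] != 32:
        return False
    return last[2:] == hashlib.sha256(params_elem + trailing).digest()


# Constructed placeholder; the real value follows section 2.3.2 of the spec.
NAME, PARAMS = renew_interest_name(["ndn", "example-ca"], b"placeholder-2.3.2")
```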

Renewal Protocol

Certificate renewal contains two steps: RENEW and CHALLENGE.

Requester                 CA
   |                       |
   |---------RENEW-------->|
   |<----------------------|
   |                       |
   |-------CHALLENGE------>|
   |<----------------------|

From a requester's perspective:

  • RENEW. The requester prepares a (new) asymmetric key pair (e.g., RSA, ECC), uses the private key to sign the public key into a self-signed certificate, and starts the application by taking the RENEW step, which works in the same way as NEW.
  • CHALLENGE. The requester selects one challenge among the available challenges offered by the CA and finishes the in-band or out-of-band identity verification. Once the challenge is accomplished, the certificate will be issued.

From a CA's perspective:

  • RENEW. The CA verifies the self-signed certificate from the requester and returns all the available challenges to the requester.
  • CHALLENGE. According to the challenge selected by the requester, the CA sets up the challenge and verifies either
    • that the requester already owns a certificate issued by the CA, or
    • the requester's ownership of the identity.

Revocation Protocol

Certificate revocation can be triggered by

  • The CA who has issued the certificate
  • The owner of the certificate
  • Anyone who can prove ownership of the private key corresponding to the public key in the certificate.